Ch 14.9 - BYOD
Bring your own device (BYOD)
Under BYOD, employees use personal devices for work. The employer remains the controller for work-related personal data processed on the device, yet the device also holds the employee's private-life data the employer has no lawful reason to access. Devices are vulnerable to loss or misuse outside the workplace, so employers should set a BYOD policy, secure storage and transfers, and plan for departure/loss - e.g. via mobile device management (MDM) software.
- The employer remains responsible as a controller for any personal data processed on the device for work purposes using the work email settings.
- The device also holds the employee's personal-life data the employer would not usually have a lawful reason to access.
- Outside the workplace, the device is vulnerable to loss or misuse.

| Step | Detail |
|---|---|
| Set a BYOD policy | Explain how employees can use BYOD and their responsibilities |
| Be clear on storage | Where device-processed data is stored and what security measures apply |
| Secure transfers | Ensure transfers from device to company servers are secure against interception |
| Plan for exit/loss | Manage data when the employee leaves or the device is lost/stolen - MDM can locate devices and remove data on demand |

Controller stays the controller
The key BYOD point: the employer remains the controller for work data on a personal device, but must not stray into the employee's private-life data it has no lawful reason to access.
Key terms - quick answers
What is “BYOD”?
Bring your own device; employees use personal smartphones/tablets for work communications, mixing personal and work data.
What is “BYOD policy”?
A policy explaining how employees may use BYOD, their responsibilities, storage, security and data removal.
What is “Mobile device management (MDM)”?
Software that can locate devices and remove data on demand, e.g. when an employee leaves or a device is lost/stolen.